Disciplines · 07 · Devices

Devices a business can afford to lose.

Most clients don't need to be sold on MDM. The license is probably already in the tenant. What turns heads is Autopilot — the idea that a new laptop can ship from a supplier, arrive at a new hire's front door, and be productive before anyone in IT has touched it. That moment is usually when the conversation starts. The real question isn't whether to roll out Intune. It's whether the team will still trust the system six months later.

The frame

Most clients aren't rescuing themselves. They're asking where to start.

Of all the disciplines on this list, Devices is the one that least often walks in wearing a crisis. SMBs rarely show up with a bad Intune deployment that needs cleaning up. SCCM almost never exists in this world — it's heavy, enterprise-scale, and expensive to run. What shows up instead is curiosity. A business has heard about MDM, knows there's a feature in the M365 licensing they've been paying for, and wants to know what it actually does.

That's the conversation. Not "help us fix this." "Help us understand what this is, and whether we should turn it on."

Intune has a quiet tendency to sit in a tenant, disabled, for years before anyone has the time to look at it. Of all the switches inside M365, it's the one that reaches the farthest into the user's experience — a policy decision in Intune is a policy decision on the laptop in their bag. Businesses treat it accordingly. The tenant-level toggles get turned on first; Intune gets turned on when the team feels ready for it, and sometimes that moment never comes.

Where we sit

Demand-led. Not pitched.

The license is almost always already in the tenant. The question has never been "should we pay for this" — the question is "should we turn it on, and if so, how." We don't walk in with a deployment plan in hand, and we don't pitch Intune to businesses that didn't raise it first.

What we find is that most clients who ask about Intune already know, at some level, that they need it. The call isn't about convincing them. It's about helping them understand what the tool is and what "good" looks like for a business their shape. Intune itself is well-documented — Microsoft has courses, YouTube has videos, resellers have decks. Understanding the tool isn't the hard part. Understanding how it should behave inside this particular business — what to turn on, what to hold back, what order to do it in — is the part that's worth an engagement.

Smaller businesses often benefit less. A compliance posture nobody's watching is a file cabinet. An Intune policy set nobody maintains starts to drift. MDM is like Defender — the tool only delivers what an operator extracts from it. The businesses where it earns its keep are the ones with enough scale, and enough commitment to the environment, to make someone genuinely responsible for it.

On the words we don't use

We don't say a business "needs" Intune. We say it "benefits from" Intune. The difference matters. Needing implies a deficit. Benefiting implies a choice. Devices engagements go better when the business is choosing the capability, not being sold on a fix.

The shape of the rollout

No forklift. Ever.

The pattern that shows up again and again on a healthy Intune rollout isn't dramatic. A policy baseline, a pilot with a willing user, and then — often — Autopilot for new devices only, while the existing fleet stays on the old management system until hardware refresh retires it. The two systems sit side by side. The refresh cycle does the handoff. Nothing that works today gets unsettled.

[Figure: The Devices rollout. Old system fades as new system ramps, synced to hardware refresh cycle. A horizontal timeline shows legacy imaging tapering off from left to right while Intune and Autopilot ramp up, with the two overlapping in a coexistence zone. Milestones along the axis: Baseline, Pilot, First Autopilot device, Steady-state coexistence, Last legacy device retired.]

The length of the ribbon is different for every client. The method isn't: new devices through Autopilot, old devices left alone, refresh cycle does the handoff.

The diagnostic

Whether the rollout worked — ask the IT team.

There's an easier way to evaluate an Intune deployment than auditing policies or reviewing compliance reports. Spend twenty minutes with the team running the environment. Confidence in control is the signal. When it's there, you can feel it in the first five minutes of the conversation. When it's not, that's equally apparent — and it's almost never about any single thing. It's a shape.

When the deployment has gone sideways, these are the tells: policy changes get approached with held breath, not pushed between meetings. The compliance dashboard gets cross-checked against a manual inventory, because nobody trusts what it's saying. Old scripts and legacy tooling are still running somewhere in the environment, because nobody wants to be the one to turn them off. App delivery is unpredictable — some devices pick up the install, some don't, and nobody's sure why.

When it's gone right, the inverse is true, and the absence is what you notice. The manual inventory is gone. The scripts are archived. Policy changes happen between meetings. App delivery is boring — you only notice it when someone asks when the new version is landing. The IT team isn't managing the tool. The tool is doing what it was set up to do.

The rollout playbook

What we do, in what order, every time.

The shape is almost identical across engagements. Less a project plan than a rhythm: each step earns the right to start the next. A clean rollout isn't about moving fast — it's about never having to undo a decision.

The rhythm

How a clean Intune rollout actually unfolds

  1. Policy baseline

     Device compliance, configuration profiles, and update rings set up first — in dev groups, before any device is enrolled. The business agrees to what "compliant" means before any laptop has to earn the label.

  2. Pilot with a willing user

     One laptop, one willing user — usually someone in IT first, then a sympathetic department head. Real enrollment, real compliance checks, real app delivery. Nothing gets promised to the rest of the business until the pilot is stable.

  3. Autopilot for new devices only

     As new hardware arrives — not old, not migrated, new — Autopilot takes it over. The shipping address becomes the provisioning address. The existing fleet stays on the legacy management system, untouched.

  4. Steady-state coexistence

     Most of the engagement lives here. New devices keep flowing in through Autopilot. The legacy system keeps the existing fleet stable. Nothing gets forced. Each hardware refresh becomes a handoff from old to new.

  5. Retirement at natural end-of-life

     The last legacy device gets refreshed. The old system is decommissioned. There is no "migration weekend" — only the last time someone images a laptop by hand. Most clients don't notice the crossover. That's the point.

What the business feels

A fleet the business barely thinks about.

The point of a well-run Devices engagement is that the business stops thinking about devices. They become infrastructure — quiet, reliable, and easily replaced. The list of what's different at the end is short. Each item matters.

  • A lost laptop is a shipping problem
    Wipe the old device, drop a new one in the mail, or send the spec to the user and reimburse. The replacement cost is the hardware, not the scramble.
  • New hires onboard through the courier
    The sealed laptop arrives, the user signs in with their corporate account, and the device configures itself. Onboarding stops being an IT event.
  • A compliance dashboard the IT team trusts
    Single source of truth. Cross-checked against a manual spreadsheet. The spreadsheet is gone.
  • Policy changes pushed between meetings
    Not scheduled for change windows. Not approached with held breath. Done, tested, rolled out, done.
  • App delivery that's boring
    You only notice it when someone asks when the new version is landing. Most of the time, nobody asks.
  • Room to grow without redesign
    Whatever scale the business reaches next, the device story doesn't have to be redrawn. The same tenant configuration handles ten laptops or a thousand.

"Whether an Intune rollout worked isn't visible in the policies. It's visible in the IT team's confidence in control. When it's there, everything else is downstream."

The stance on Devices

Book a call

Heard about Autopilot? Tired of imaging? Intune sitting untouched for two years?

If the license is already in the tenant and no one's ever given you a straight answer on whether it's worth turning on — the first conversation is the same one. What's actually in scope, what "good" looks like for a business your shape, and whether now is the moment or next year is.

Or reach us directly: info@fouronesixit.ca · (647) 371-0400